Configure the Oracle Internet Directory Authentication provider

You use the Oracle Internet Directory Authentication provider to access user and group information stored in the Oracle Internet Directory LDAP V3 service.

Note that each security realm must have at least one Authentication
provider configured. The Control Flag attribute determines how the
LoginModule for each Authentication provider is used in the
authentication process. For more information, see Set the JAAS control
flag.

If the Oracle Internet Directory Authentication provider is the only
Authentication provider configured in the security realm, make sure that
the LDAP user who boots WebLogic Server is added to a group that is
assigned to the Admin role. Otherwise, WebLogic Server cannot be booted.
If the Oracle Internet Directory Authentication provider fails to
connect to the LDAP server, or throws an exception, make sure the
configuration settings for this provider are set correctly as described
in the steps that follow. For more information about these configuration
settings, see Configuring Users and Groups in the Oracle Internet
Directory and Oracle Virtual Directory Authentication
Providers.

To configure the Oracle Internet Directory Authentication provider:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).

In the left pane, select Security Realms
and click the name of the realm you are configuring (for example,
myrealm).

Select Providers > Authentication and click New.

The Create a New Authentication Provider page appears.

In the Name field, enter a name for the Oracle Internet Directory Authentication provider.

From the Type drop-down list, select OracleInternetDirectoryAuthenticator and click OK.

Select Providers > Authentication and
click the name of the new Oracle Internet Directory Authentication
provider to complete its configuration.

On the Configuration page for the Oracle Internet Directory
Authentication provider, set the desired values on the
Common tab. If you are configuring multiple
Authentication providers, refer to Set the JAAS control
flag.

Select the Provider Specific tab.

In the section labeled Connection, specify
the following:

The host and port of the machine hosting the Oracle Internet
Directory LDAP server

The credentials of the LDAP user that WebLogic Server should
use for making a connection

If the user name attribute for the user object class in the
LDAP directory structure is a type other than cn,
change that type in the settings for each of the following
attributes: All Users Filter,
User From Name Filter, and User
Name Attribute. For example, if the user name
attribute type is uid, change All
Users Filter to
(&(uid=*)(objectclass=person)).

Note: When specifying an LDAP search filter for users or
groups, wildcards are accepted. However, using multiple asterisk
wildcards, particularly for a user or group name attribute, has
a negative performance impact on the LDAP server.

In the section labeled Groups, adjust the
following settings as necessary to match the directory structure for
groups in the Oracle Internet Directory LDAP server.

If the group name attribute for the static group object in
the LDAP directory structure is a type other than
cn, change that type in the settings for the
All Groups Filter and Group From
Name Filter attributes.

For example, if the static group name attribute is type
uid, change All Groups
Filter to
(&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))),
and change Group From Name Filter to
(|(&(uid=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup))).

If the group name attribute for the dynamic group object in
the LDAP directory structure is a type other than
cn, change that type in the settings for the
All Groups Filter and Group From
Name Filter attributes.

For example, if the dynamic group name attribute is type
uid, change All Groups
Filter to
(&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))),
and change Group From Name Filter to
(|(&(cn=%g)(objectclass=groupofUniqueNames))(&(uid=%g)(objectclass=orcldynamicgroup))).

If the static group object class name in the LDAP directory
structure is groupofnames (instead of
groupofuniquenames), and the static member DN
attribute is of type member (instead of
uniquemember), change the
objectclass element in the All Groups
Filter and Group From Name
Filter attributes.

For example, set All Groups Filter as
(&(cn=*)(|(objectclass=groupofnames)(objectclass=orcldynamicgroup))),
and set Group From Name Filter as
(|(&(cn=%g)(objectclass=groupofnames))(&(cn=%g)(objectclass=orcldynamicgroup))).

In the section labeled Static Groups, make
the following changes, if necessary, to match the schema definition of
static groups in the Oracle Internet Directory LDAP server:

If the group name attribute type of the static group object
class is a type other than cn, specify that type
in Static Group Name Attribute. Note that
the type you specify must be consistent with the name attribute
type specified in the All Groups Filter and
Group From Name Filter attributes.

Change Static Group Object Class to
groupofnames, if necessary, and make sure it
matches the class name specified in the All Groups
Filter and Group From Name
Filter attributes.

If Static Group Object Class is
groupofnames, change Static Member DN
Attribute to member.

In the section labeled Dynamic Groups,
make sure Dynamic Group Name Attribute matches
the name attribute type specified in the All Groups
Filter and Group From Name Filter
attributes.

Click Save to save your changes.

In the Change Center, click Activate Changes and then restart WebLogic Server.